Stream learning and anomaly-based intrusion detection in the adversarial settings

Although the literature contains many anomaly-based intrusion detection studies, they are rarely adopted by industry in production environments (products). This usage gap arises mainly because it is difficult to keep the detection rate at an acceptable level given the occurrence of false alarms. In general, the literature does not consider adversarial settings, in which an opponent attempts to evade the detection system, possibly rendering it unreliable over time. In this paper, we propose and evaluate a new approach to reliably perform real-time stream learning for anomaly-based intrusion detection. We employ a class-specific stream outlier detector to automatically update the intrusion detection engine over time, together with a rejection mechanism that makes it possible to obtain indications that an evasion attempt may be happening. Furthermore, the proposal is resilient to causative attacks, providing a secure intrusion detection mechanism even when the attacker can inject misclassified instances into the training dataset. The evaluation tests show that the proposed approach is resilient to exploratory attacks, allowing the system administrator to know when an evasion attempt might be occurring.
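The following is an added illustration of the three ingredients the abstract combines (class-specific outlier models that self-update from the stream, a reject option that surfaces possible evasion, and a filter that refuses poisoned training instances). It is not the paper's code and does not reproduce its detector; the per-class z-score distance, the thresholds, the sliding rejection window, the `min_samples` seeding rule and the two-dimensional sample traffic (packets per second, mean payload size) are all assumptions constructed for this example.

```python
"""Toy stream IDS: class-specific outlier models + reject option + poisoning filter.

Added example, not the paper's implementation. Distances, thresholds and
the sample data below are constructed assumptions.
"""
import math
import random
from collections import deque


class ClassModel:
    """Running per-feature mean/variance for one class (Welford's algorithm)."""

    def __init__(self, dim):
        self.n = 0
        self.mean = [0.0] * dim
        self.m2 = [0.0] * dim

    def update(self, x):
        self.n += 1
        for i, v in enumerate(x):
            delta = v - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (v - self.mean[i])

    def distance(self, x):
        """Z-score (normalised Euclidean) distance to the class centre; large = outlier."""
        total = 0.0
        for i, v in enumerate(x):
            var = self.m2[i] / (self.n - 1) if self.n > 1 else 0.0
            std = math.sqrt(var) if var > 0 else 1.0  # assumption: unit spread when unknown
            total += ((v - self.mean[i]) / std) ** 2
        return math.sqrt(total)


class StreamIDS:
    REJECT = "reject"

    def __init__(self, dim, classes=("normal", "attack"), reject_threshold=3.0,
                 min_samples=10, window=20, alarm_rate=0.3):
        self.models = {c: ClassModel(dim) for c in classes}
        self.reject_threshold = reject_threshold  # assumed z-distance cut-off
        self.min_samples = min_samples            # seed size before the poisoning filter kicks in
        self.recent = deque(maxlen=window)        # 1 = rejected, 0 = accepted (sliding window)
        self.alarm_rate = alarm_rate              # rejection rate that signals possible evasion

    def train(self, x, label):
        """Supervised update. Once a class has min_samples, a labelled instance is
        admitted only if it is NOT an outlier for that class: this is the causative
        (poisoning) defence, refusing instances that would drag the class centre."""
        model = self.models[label]
        if model.n >= self.min_samples and model.distance(x) > self.reject_threshold:
            return False
        model.update(x)
        return True

    def classify(self, x):
        """Nearest class by z-distance; reject if the instance is an outlier to every class."""
        scored = {c: m.distance(x) for c, m in self.models.items() if m.n > 1}
        if not scored:
            return self.REJECT, math.inf
        label, dist = min(scored.items(), key=lambda kv: kv[1])
        return (label if dist <= self.reject_threshold else self.REJECT), dist

    def process(self, x):
        """Unsupervised stream step: classify, then let only confidently accepted
        instances update their own class model (class-specific self-update)."""
        label, _ = self.classify(x)
        rejected = label == self.REJECT
        self.recent.append(1 if rejected else 0)
        if not rejected:
            self.models[label].update(x)
        return label

    def evasion_suspected(self):
        """Administrator signal: a sustained burst of rejections in the window."""
        if len(self.recent) < self.recent.maxlen:
            return False
        return sum(self.recent) / len(self.recent) >= self.alarm_rate


def build_demo(seed=7):
    """Seed the detector with constructed traffic: normal ~ (10 pps, 500 B),
    attack ~ (200 pps, 60 B). Values are invented for the example."""
    rng = random.Random(seed)
    ids = StreamIDS(dim=2)
    for _ in range(40):
        ids.train((rng.gauss(10, 1), rng.gauss(500, 20)), "normal")
        ids.train((rng.gauss(200, 10), rng.gauss(60, 5)), "attack")
    return ids


def simulate_probing(ids, steps=20):
    """Feed instances that sit between both classes (an exploratory probe pattern,
    constructed) and report whether the rejection-rate alarm fires."""
    for i in range(steps):
        ids.process((60.0 + i, 300.0))
    return ids.evasion_suspected()


if __name__ == "__main__":
    ids = build_demo()
    print(ids.classify((10.2, 502.0)))      # expected: ('normal', small distance)
    print(ids.classify((100.0, 300.0)))     # expected: ('reject', large distance)
    print(ids.train((100.0, 300.0), "normal"))  # expected: False (poisoning refused)
    print(simulate_probing(ids))            # expected: True (evasion suspected)
```

Two design points worth noting: the class-specific check in `train` is what gives resilience to label-flipping poisoning, because a mislabelled instance is judged against the model of the class it claims rather than accepted on its label alone; and because `process` only self-updates from accepted instances, a stream of near-boundary probes cannot gradually drift the models, it only raises the rejection rate that the administrator sees.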
